Privacy & Compliance News
Curated headlines and analysis from the world of data privacy, security regulations, and compliance enforcement.
IAPP Global Summit 2026: Paper Compliance Is No Longer Sufficient
The 2026 IAPP Global Summit in Washington, D.C. delivered a clear message from regulators worldwide: demonstrating compliance on paper without operational evidence will no longer pass enforcement scrutiny. Board-level accountability for privacy governance is becoming a regulatory expectation.
This is exactly the shift we built for. Control-based compliance with an audit trail proves operational execution — not just policy documents. When regulators ask "show me it works," you need a system that can answer.
Eurail Data Breach Exposes Passport Data of 300,000+ Travelers
European rail pass provider Eurail is notifying over 300,000 people that their personal information — including names and passport numbers — was stolen in a December 2025 breach discovered months later.
Passport numbers are high-value PII that triggers mandatory breach notifications under GDPR. Automated data classification would have flagged this data store as critical, enabling faster detection and a more targeted response.
Crunchbase Confirms Data Breach After Hacking Claims
Business data platform Crunchbase confirmed a data breach after hackers claimed to have accessed its systems. The incident exposed company and user data from one of the most widely used startup databases.
Even data platforms that aggregate public information hold enough private metadata — emails, usage patterns, internal notes — to make a breach damaging. Know what you store, classify it, and protect it accordingly.
Shadow AI Is the Fastest-Growing Data Exposure Risk in Enterprises
Employees using unauthorized AI tools are sharing sensitive data — source code, legal documents, M&A details — with AI services outside IT visibility. Organizations with high shadow AI usage face breach costs averaging $4.63 million, $670K more than those without.
You cannot protect data you do not know is leaving your environment. Automated data discovery that maps where sensitive information flows — including to third-party AI services — is the first line of defense against shadow AI exposure.
Navia Data Breach Impacts 2.7 Million Individuals
Navia Benefit Solutions is notifying 2.7 million people that their personal information was stolen after hackers had access to its systems for over three weeks.
Three weeks of undetected access. Automated data discovery would have identified exactly what sensitive data was at risk, and monitoring of access patterns would have flagged the anomalous activity, in hours rather than weeks.
California Privacy Enforcement in 2026: DROP Platform Reaches 215,000 Residents
CalPrivacy launched its Delete Request and Opt-Out Platform (DROP), already adopted by over 215,000 residents. The agency has appointed its first chief auditor and has over 100 open investigations with approximately 10,000 consumer complaints since inception.
California is operationalizing privacy rights at scale. If your organization processes California residents' data, automated DSR fulfillment is no longer optional — it is the expected baseline.
European Commission Misses Deadline for AI Act High-Risk System Guidance
The European Commission failed to meet its February 2 deadline for publishing guidance on how to identify high-risk AI systems under Article 6 of the AI Act. With full enforcement of high-risk obligations set for August 2026, organizations face compliance uncertainty.
Regulatory uncertainty does not mean you can wait. Organizations using AI in data processing should start mapping their AI systems to the high-risk categories now — the enforcement date is fixed even if the guidance is late.
Hackers Leak 5.1 Million Panera Bread Customer Records
ShinyHunters leaked 5.1 million Panera Bread customer records after a failed extortion attempt. The group bypassed security using a stolen Microsoft Entra SSO code, part of a broader campaign targeting IT help desks via voice phishing.
SSO credential theft is the new front door. Identity-first breaches bypass traditional perimeter controls entirely. Organizations need to know what data each SSO-connected system can access — before an attacker maps it for them.
Healthcare Ransomware Attacks Surge to Record Highs
Health-ISAC reports ransomware attacks against healthcare organizations surged to record levels in late 2025, with patient data exposure driving regulatory fines alongside operational disruption.
Healthcare organizations that already know where their sensitive data lives can contain breaches faster and report to regulators with confidence. The ones still doing manual inventories are the ones paying millions.
New Year, New Rules: US State Privacy Laws Coming Online in 2026
Indiana, Kentucky, and Rhode Island privacy laws took effect January 1, 2026, alongside California's new automated decision-making and data broker regulations. Over 20 US states now have comprehensive privacy laws, each with distinct compliance requirements.
Twenty-plus state privacy laws with overlapping but distinct requirements make manual compliance tracking impossible. A control-based engine that maps obligations across jurisdictions automatically is the only scalable approach.
Joint Guidelines on GDPR-AI Act Interplay to Come Soon, EDPS Says
The European Data Protection Supervisor is developing joint guidance with the European Commission on how the GDPR and AI Act interact, addressing overlapping compliance obligations.
Overlapping regulations mean overlapping controls. A control-based compliance engine handles this natively — one control maps to both GDPR Article 22 and AI Act obligations without duplication.
With Rules Finalized, India's DPDPA Takes Force
India's Ministry of Electronics and IT finalized DPDPA regulations, ending a two-year wait. Data fiduciaries must comply within 18 months, with the Data Protection Board now established.
The 18-month clock is ticking. Indian enterprises need automated data inventories and consent management yesterday — manual approaches won't scale to DPDPA's requirements.
Engineering GDPR Compliance in the Age of Agentic AI
Paper controls and periodic audits can no longer carry the compliance load alone. The answer is to turn compliance into engineering — embedding data protection into systems architecture rather than treating it as a legal afterthought.
We built IQWorks around this exact premise. Compliance controls should be executable code, not PDF documents. When a control fails, it should generate a violation with a direct link to the fix — not an email to legal.
GDPR Fines Surpass EUR 7.1 Billion as Enforcement Accelerates
Cumulative GDPR fines have surpassed EUR 7.1 billion with over 2,800 fines issued. More than 60% of the total has landed since January 2023, and regulators now receive 443 breach notifications per day — a 22% year-over-year increase.
Fines are accelerating, not plateauing. Regulators are increasingly penalizing structural control deficiencies — weak vendor management, missing encryption, inadequate logging — rather than waiting for a breach to occur. Prove your controls work before they ask.
Data Breach at Healthcare Firm Episource Impacts 5.4 Million People
Healthcare services firm Episource disclosed unauthorized access to its systems, exposing personal and medical data of 5.4 million individuals — highlighting the critical need for automated data discovery.
Another healthcare breach, another organization that didn't know exactly what sensitive data it was holding or where. Automated classification turns "we're investigating what was exposed" into "here's exactly what was affected."
Adidas Data Breach Linked to Third-Party Vendor
Adidas disclosed a data breach after attackers accessed customer data through a third-party customer service provider — highlighting how interconnected supply chains create vendor risk blind spots.
This is the vendor risk blind spot in action. If you don't know which vendors process which data, you can't assess the blast radius when they get breached. Inventory-driven vendor risk management isn't optional anymore.
Top 5 Impacts of the New COPPA Rule
The FTC finalized the first major update to the COPPA Rule since 2013, requiring separate parental consent for third-party data sharing and targeted advertising. Companies must comply by April 22, 2026.
Children's data is the highest-liability category in privacy. If your platform touches minors' data, automated classification that flags it before it enters your processing pipeline is the baseline — not the stretch goal.
EU AI Act: First Compliance Deadline Hits as Prohibited Practices Ban Takes Effect
The EU AI Act's first compliance milestone arrived in February 2026, banning AI systems deemed an unacceptable risk — including social scoring, real-time biometric surveillance, and manipulative AI. Organizations face fines up to 7% of global turnover.
If you use AI in data processing decisions, your compliance scope just widened. Map AI-driven processing activities now — before the high-risk deadlines hit in August.